admin: add option to declare roles are managed by identity provider (#13789)

2016-10-28 10:47:47 +02:00 · 2016-10-28 10:47:47 +02:00 · b254184559
parent 6cc90e31a9
commit b254184559
5 changed files with 47 additions and 5 deletions
--- a/tests/test_admin_pages.py
+++ b/tests/test_admin_pages.py
@ -2489,6 +2489,36 @@ def test_users_edit_edit_account(pub):
    assert PasswordAccount.has_key('foo')
    assert PasswordAccount.get('foo').user_id == user.id

+def test_users_edit_with_managing_idp(pub):
+    create_role()
+    pub.user_class.wipe()
+    pub.cfg['sp'] = {'idp-manage-user-attributes': True}
+    pub.write_cfg()
+    PasswordAccount.wipe()
+    create_superuser(pub)
+    user = pub.user_class(name='foo bar')
+    user.store()
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/users/%s/' % user.id)
+    assert '>Manage Roles<' in resp.body
+    resp = resp.click(href='edit')
+    assert not 'email' in resp.form.fields
+    assert 'roles$added_elements' in resp.form.fields
+
+    pub.cfg['sp'] = {'idp-manage-roles': True}
+    pub.write_cfg()
+    resp = app.get('/backoffice/users/%s/' % user.id)
+    assert '>Edit<' in resp.body
+    resp = resp.click(href='edit')
+    assert 'email' in resp.form.fields
+    assert not 'roles$added_elements' in resp.form.fields
+
+    pub.cfg['sp'] = {'idp-manage-roles': True, 'idp-manage-user-attributes': True}
+    pub.write_cfg()
+    resp = app.get('/backoffice/users/%s/' % user.id)
+    assert not '/edit' in resp.body
+
 def test_users_delete(pub):
    pub.user_class.wipe()
    PasswordAccount.wipe()
--- a/tests/test_hobo.py
+++ b/tests/test_hobo.py
@ -322,6 +322,8 @@ def test_configure_authentication_methods():

    assert len(pub.cfg['idp'].keys()) == 1
    assert pub.cfg['saml_identities']['registration-url']
+    assert pub.cfg['sp']['idp-manage-user-attributes']
+    assert pub.cfg['sp']['idp-manage-roles']

 def test_deploy():
    cleanup()
--- a/wcs/admin/users.py
+++ b/wcs/admin/users.py
@ -25,7 +25,7 @@ from qommon.backoffice.listing import pagination_links
 from wcs.roles import Role

 import qommon.ident
-from qommon.ident.idp import is_idp_managing_user_attributes
+from qommon.ident.idp import is_idp_managing_user_attributes, is_idp_managing_user_roles
 from qommon.form import *
 from qommon.admin.emails import EmailsDirectory
 from qommon.backoffice.menu import html_top
@ -54,8 +54,9 @@ class UserUI(object):
                formdef.add_fields_to_form(form, form_data = self.user.form_data)
            form.add(CheckboxWidget, 'is_admin', title = _('Administrator Account'),
                    value = self.user.is_admin)
+
        roles = list(Role.select(order_by='name'))
-        if len(roles):
+        if len(roles) and not is_idp_managing_user_roles():
            form.add(WidgetList, 'roles', title = _('Roles'), element_type = SingleSelectWidget,
                    value = self.user.roles,
                    add_element_label = _('Add Role'),
@ -214,9 +215,9 @@ class UserPage(Directory):
        r = TemplateIO(html=True)
        r += htmltext('<ul id="sidebar-actions">')

-        if is_idp_managing_user_attributes():
+        if is_idp_managing_user_attributes() and not is_idp_managing_user_roles():
            r += htmltext('<li><a href="edit">%s</a></li>') % _('Manage Roles')
-        else:
+        elif not (is_idp_managing_user_attributes() and is_idp_managing_user_roles()):
            r += htmltext('<li><a href="edit">%s</a></li>') % _('Edit')
        r += htmltext('<li><a href="delete" rel="popup">%s</a></li>') % _('Delete')

--- a/wcs/ctl/check_hobos.py
+++ b/wcs/ctl/check_hobos.py
@ -215,6 +215,7 @@ class CmdCheckHobos(Command):
        if not pub.cfg.get('sp'):
            pub.cfg['sp'] = {}
        pub.cfg['sp']['idp-manage-user-attributes'] = bool(idps)
+        pub.cfg['sp']['idp-manage-roles'] = bool(idps)
        pub.write_cfg()

        if not idps:
--- a/wcs/qommon/ident/idp.py
+++ b/wcs/qommon/ident/idp.py
@ -48,6 +48,9 @@ ADMIN_TITLE = N_('SAML2')
 def is_idp_managing_user_attributes():
    return get_cfg('sp', {}).get('idp-manage-user-attributes', False)

+def is_idp_managing_user_roles():
+    return get_cfg('sp', {}).get('idp-manage-roles', False)
+
 def get_file_content(filename):
    try:
        return open(filename,'r').read()
@ -844,6 +847,10 @@ class MethodAdminDirectory(Directory):
                title = _('IdP manage user attributes'),
                value = get_cfg('sp',{}).get('idp-manage-user-attributes', False))

+        form.add(CheckboxWidget, 'idp-manage-roles',
+                title = _('IdP manage roles'),
+                value = get_cfg('sp',{}).get('idp-manage-roles', False))
+
        form.add_submit('submit', _('Submit'))
        form.add_submit('cancel', _('Cancel'))
        if x509utils.can_generate_rsa_key_pair():
@ -920,7 +927,8 @@ class MethodAdminDirectory(Directory):
                'saml2_providerid', 'saml2_base_url', 'common_domain_getter_url',
                'grab_user_with_id_wsf', 'identity-creation',
                'authn-request-signed', 'want-assertion-signed',
-                'idp-manage-user-attributes'):
+                'idp-manage-user-attributes',
+                'idp-manage-roles'):
            if form.get_widget(k):
                cfg_sp[k] = form.get_widget(k).parse()